Threat intelligence + big data = real security

Threat intelligence and the use of data to flag critical security indicators were popular topics at the Black Hat conference in Las Vegas in early August, and for good reason. As enterprises struggle to understand their network vulnerabilities, they have to consider the many layers of defense needed to secure their most valuable data. Security teams are inundated with threat data and overburdened by the countless man-hours needed to separate the real threats from the noise.

A decade ago, the majority of threat intelligence (TI) occurred in the departments and agencies of the federal government. Now that the needs of the business world have created a demand for threat intelligence, many feds are jumping into the private sector, bringing with them a wealth of knowledge of protocols they can apply to developing commercial products.

Vendors are increasingly creating customer-centric products that make it easier for analysts to do their jobs. Many of these platforms can be customized to meet the individual needs of different enterprises. Understand, though, that knowledge of these kinds of products is only one part of a mature TI program: organizations also need to conduct an internal risk assessment and design a plan of action.

While TI is fast becoming a crowded category boasting a wide range of platforms and services, these eight products will help any security team make valuable use of their threat data, and tailor a TI program that’s right for their company.

Endgame

Founded in 2008, Endgame provides software solutions to the U.S. Department of Defense, as well as the intelligence community at large. In that capacity, they’ve come up against some fairly sophisticated cyberadversaries in some seriously hostile environments.

Endgame combines the industry's understanding of enterprise vulnerabilities and evolving threats with proven science and the software automation necessary for federal and commercial organizations to "turn the map around" and think like a cybercriminal. Endgame enables customers to successfully automate the hunt and to pursue, contain and eliminate the most advanced threats before they cause damage and loss.

By building on research from the company’s team of data scientists, Endgame claims to create a holistic detection and response strategy, deployable even in virtual environments, to thwart advanced cyberterrorists targeting critical business assets.

ThreatQuotient

ThreatQuotient has studied the threat intelligence arena for the past two years to determine what’s lacking in the industry and what providers need to create commercial platforms. Its president, Wayne Chiang, says, “We focus on four key features: extensibility, enrichment, integration and scoring.”

ThreatQuotient found that threat intelligence providers of commercial platforms provide massive amounts of data, but as Chiang points out, “Security teams can’t take advantage of the data. There is no central depository. As a result, those on the consumption side are forced to pick and choose among the threat data.” ThreatQ, by contrast, aims to allow users to ingest and centralize data and automate deployment.

TruSTAR

With TruSTAR, enterprise security teams can anonymously share incidents and collaborate without worrying about attribution, legal issues or reputational backlash.

Paul Kurtz, CEO of TruSTAR Technology, says, “What we are trying to do is enable companies to share data. We give them anonymity. They can share data with us, and we can correlate that data. We also allow the CISOs to collaborate by using end-to-end encryption.”

TruSTAR is beta testing its service with 10 Fortune 500 companies. It also has a patent-pending algorithm that assures anonymity: users can send reports that can’t be traced back to them.

Anonymity is the key. As Kurtz says, “We need to share across sectors to begin more quickly mitigating attacks. Bad guys are using the same command and control infrastructure to go after multiple sectors, and we are running common hardware and software that everybody uses.” In other words, being a specialist in a silo isn’t going to solve the problem.

BrightPoint

Whether an enterprise wants to know if it’s under attack, or how to respond if it sees odd behavior, threat intelligence can inform its response and determine which threats are actionable.

BrightPoint Security is designed to provide a threat intelligence platform that automates the process of collecting, analyzing, correlating and securely sharing structured and unstructured data on both current and emerging cyberthreats. BrightPoint’s criteria include ingesting both structured and unstructured threat feeds, but the company also prioritizes sharing with other trusted groups and visualization.

It’s this sharing that users most value, according to the Enterprise Strategy Group's 2015 Threat Intelligence Survey. That includes sharing threat intelligence between federal agencies and private organizations alike. Platforms like BrightPoint help automate that process.

Norse

Norse provides live attack intelligence, and claims its hybrid model, which combines both automated and human threat monitoring, can help companies block the threats that other systems miss. Serving financial, government and technology organizations, the Norse Intelligence Network is recognized as a global leader in threat detection with its worldwide “distant early warning” grid of millions of sensors, honeypots, crawlers and agents. Its Norse Attack Map, in fact, shows in real time the sum total of the cyberattacks happening on the Norse network, including detailed information about where the attacks came from, where they're going, the types of attack, and more.

Webroot

Webroot has studied malicious web activity for more than 15 years and Grayson Milbourne, security intelligence director, claims that, “5 percent of all websites are either malicious or suspicious.” While that number seems low, it still works out to about 20 million websites.

Webroot’s BrightCloud threat intelligence services platform uses machine learning technology that allows the company to draw correlations among the massive volume of data it collects. Webroot offers real-time anti-phishing technology and a scoring system that it claims helps identify and negate 99 percent of encountered threats.

The technology also employs active learning with an immediate feedback loop to retrain the machine learning models, which allows Webroot’s researchers to adjust confidence dynamically.

Twistlock

Twistlock wants to address the foremost obstacle to container adoption: security. With an integrated intelligence stream of the latest CVEs and security standards, its tool offers granular security policy enforcement for containers and their content, with advanced authentication and authorization capabilities.

Twistlock’s architecture has three levels. First, an intelligence stream offers near real-time consolidation of CVEs and recommended configurations from open source, vendor and governmental data sources. The second level, the container console, consumes the intelligence stream. The third is the container defender, which consumes and enforces the defense policies.

LogRhythm

LogRhythm claims to reduce the time it takes organizations to detect cyberintruders before they get a foothold and do any real damage. Its Holistic Threat Analytics Suite purports to detect behavioral anomalies by analyzing a number of potential entryways (users, networks and endpoints), allowing the software to identify a variety of system compromises that originate from advanced cyberthreats. The Holistic Suite comprises three modules: the newest, the Endpoint Threat Analytics Module, joins LogRhythm’s User Threat Analytics Module and Network Threat Analytics Module, and, combined, they should allow customers to detect intrusions earlier, regardless of where those intrusions originate.

LogRhythm also incorporates real-time threat intelligence data from leading commercial vendors and an array of open source intelligence feeds. This lets the company help its customers connect the cybersecurity dots to the data they’re already collecting, processing and analyzing, which, in turn, should help them take whatever countermeasures they need to protect themselves from a major breach.